GDPR

GDPR compliance for Shopify merchants.

The EU General Data Protection Regulation (Regulation 2016/679) governs how personal data of EU + EEA residents can be collected, processed, and stored. If your Shopify store ships to or markets to anyone in the EEA, GDPR applies. Here's the playbook.

Effective May 25, 2018 · Up to €20M or 4% of global turnover · No US-style cure period

/ Maximum fine

€20M, or 4% of global turnover, whichever is higher. Major fines (Meta €1.2B, Amazon €746M) prove the cap isn't theoretical.

/ DPA enforcement

27 EU member-state DPAs. Each member state has its own Data Protection Authority. CNIL (France) and the Irish DPC are the most active.

/ Breach notice

72h notification window. Personal data breaches must be reported to your supervisory authority within 72 hours of awareness.
01 / Who must comply

Territorial reach.

GDPR applies to any organization that processes personal data of EEA residents (the EU 27 + Iceland, Liechtenstein, Norway), regardless of where the organization itself is based. For a Shopify merchant:

  • You ship to the EEA. Even one shipping option to Germany triggers it. The territorial scope is "offering goods or services to" EEA residents.
  • You market to the EEA. A Facebook ad targeted at France, EUR pricing on the storefront, a German-language store locale — each is evidence of marketing to EEA residents and brings you into scope.
  • You're physically located in the EEA. Then GDPR applies regardless of your customer base.

Most US-based or Canada-based Shopify merchants with international shipping fall under territorial scope. The "we don't do business in Europe" defense rarely holds up if the storefront is technically reachable from the EEA without geo-blocking.

02 / What it requires

The four core obligations.

/ Lawful basis

Have a reason to process

Each act of personal data processing needs one of six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interest). For marketing cookies on an e-commerce store, that's almost always consent — which means a banner.

How we verify: Scanner detects whether your store has a cookie banner present and active. (+10 pts)

/ Granular consent

Per-purpose opt-in

Consent must be specific, informed, freely given, and granular (per-purpose, not blanket). Pre-checked boxes are not consent. Cookie walls (no consent = no access) are generally invalid. The banner needs Accept, Reject, and Preferences with equal prominence.

How we verify: Auto-blocker check + tracker hygiene flags non-essential pixels firing pre-consent. (up to 20 pts)

/ Data subject rights

Honor requests

Visitors have the right to access their data, correct it, delete it, port it, and object to processing. You need a way to receive and respond to requests within 30 days. A privacy policy with a contact and a clear request mechanism is required.

How we verify: Policy parser checks for rights disclosures and a documented contact mechanism. (+10 pts)

/ Privacy policy

Disclose everything

Articles 13 and 14 require disclosing what data you collect, why, who you share it with, retention periods, the lawful basis used, contact details for the data controller, and the rights available. Generic Shopify boilerplate doesn't satisfy this; a policy that names the actual trackers in use does.

How we verify: Scanner finds your policy URL and parses it for Article 13/14 key terms. (+20 found / +10 complete)

03 / How ClearConsent helps

The compliance toolkit.

Scan your store

Real-browser audit identifies every tracker, cookie, and signal. Reports a 0–100 GDPR score with per-requirement breakdown showing exactly what's missing.

Deploy compliant tools

Hosted banner with EU/EEA opt-in mode (Accept/Reject/Preferences with equal prominence), GCM v2 wired in, auto-blocker holding GA4/Meta until consent fires.
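Added example, not ClearConsent's own code: a minimal consent-gated tag loader in JavaScript covering the granular per-purpose opt-in from section 02 and the auto-blocker / Consent Mode v2 wiring described above, plus the pre-consent tracker check the scanner performs. The two purposes and the tracker-to-purpose mapping are assumptions; the loader URLs are the public GA4 and Meta Pixel script endpoints.

```javascript
// Added example (not ClearConsent's code): per-purpose consent, auto-blocker gate,
// Google Consent Mode v2 signals, and a pre-consent tracker check.
const PURPOSES = ["analytics", "marketing"];

// Assumed tracker -> purpose mapping; the purpose must be granted before the script loads.
const TRACKERS = {
  ga4:  { purpose: "analytics", src: "https://www.googletagmanager.com/gtag/js" },
  meta: { purpose: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
};

// Nothing is pre-checked: every purpose starts as not consented.
const defaultConsent = () => Object.fromEntries(PURPOSES.map((p) => [p, false]));

// Banner outcome -> consent record. "reject" keeps every purpose false;
// "preferences" grants only the purposes the visitor explicitly ticked.
function applyChoice(choice, prefs = {}) {
  const consent = defaultConsent();
  for (const p of PURPOSES) {
    if (choice === "accept") consent[p] = true;
    else if (choice === "preferences") consent[p] = prefs[p] === true;
  }
  return consent;
}

// Consent Mode v2 signals: send gtag('consent','default',...) with all denied before
// any tag loads, then gtag('consent','update', toConsentModeV2(consent)) on choice.
function toConsentModeV2(consent) {
  const g = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: g(consent.analytics),
    ad_storage: g(consent.marketing),
    ad_user_data: g(consent.marketing),
    ad_personalization: g(consent.marketing),
  };
}

// Auto-blocker gate: the only trackers whose scripts may be injected right now.
function permittedTrackers(consent) {
  return Object.keys(TRACKERS).filter((k) => consent[TRACKERS[k].purpose] === true);
}

// Tracker hygiene check: URLs requested before any consent choice -> trackers that
// fired pre-consent. Each name returned is a finding to fix in the theme or app setup.
function preConsentViolations(requestedUrls) {
  const origins = new Set(requestedUrls.map((u) => new URL(u).origin));
  return Object.keys(TRACKERS).filter((k) => origins.has(new URL(TRACKERS[k].src).origin));
}

// Constructed sample: requests captured before the banner was answered.
const SAMPLE_PRE_CONSENT_REQUESTS = [
  "https://cdn.shopify.com/s/files/1/theme.js",
  "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER",
];
```

In a real storefront, `permittedTrackers` decides which `<script>` tags get injected after the visitor's choice, and `preConsentViolations` is what you run over a fresh-session network log to confirm nothing slipped through.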

Document continuously

Privacy policy generated from the actual scan (names trackers found), consent log retained for 1 year, weekly auto-rescans catching new pixels, PDF + Excel reports for DPO review.

04 / Enforcement reality

What actually happens.

The headline €20M / 4% turnover cap gets the press, but small Shopify merchants are more likely to encounter:

  • Complaints from individual visitors filing with their local DPA (no special standing required). The DPA writes to you for explanation; ignore that letter and the complaint becomes an investigation.
  • Cookie-banner-specific actions by CNIL (France), AEPD (Spain), or Garante (Italy). These DPAs have explicitly fined small businesses for non-compliant banners; six- and seven-figure fines on small e-commerce stores are a documented pattern.
  • Class-action-style noyb (none-of-your-business) complaints filed by privacy advocacy groups against multiple merchants simultaneously. Max Schrems' organization regularly files these and they have a track record of leading to enforcement.

Realistically, a small Shopify merchant's GDPR risk surface is the cookie banner and privacy policy. Get those right and the rest of the regulation is mostly business-process rather than tech-stack. Get them wrong and the path to enforcement is very short.

Check your store

See your GDPR score.

Free on the home page. The diagnostic produces a per-law GDPR breakdown showing exactly which requirements you're hitting and which you're missing. No sign-up; 60 seconds.
